1. Field of the Invention
Embodiments of the invention relate to managing permissions in a network environment and, in particular, to systems and methods for maintaining permission information for a plurality of network users.
2. Description of the Related Art
Authentication and authorization are two important processes in maintaining security in a computer network environment. Many directories (e.g., Microsoft's ACTIVE DIRECTORY), network operating systems or other software systems authenticate a user's identity through the use of credentials, such as a unique combination of a username and password. When the user attempts to exercise a right or permission, the system can prompt the user to provide the appropriate credentials. In this way, intelligent decisions about granting, denying or revoking rights or permissions to computer resources, data, a computer network and/or to perform administrative tasks or other activities can be controlled and restricted to particular user(s) or group(s) of users.
Sometimes, however, a username can change, and/or multiple users may be given access to a single username. In view of the foregoing, computer systems are often programmed to assign to each user or group of users a unique identification, such as a security identifier (SID), that generally remains constant. In certain embodiments, the management of permissions is performed by associating a SID with each permission that the user has been granted, denied or revoked with respect to a particular resource (i.e., authorization).
Over time, as users and/or groups are granted, denied, revoked and/or changed permissions with respect to particular resources, the number of places in which the user's or group's SID is used grows tremendously. For instance, it would not be unreasonable to find in a single organization millions of permissions assigned to SIDs with respect to resources on network devices. This becomes particularly challenging when an auditor or administrator needs to determine where a specific user or group has been granted, denied or revoked permissions. Moreover, because of the distributed nature of most computer networks, some of which may span the globe, it is often logistically difficult to determine where to look to identify where a user or group has been granted, denied or revoked permissions to resources.
A typical method for determining where a user or group has been granted, denied or revoked permissions is to use a customized application designed to read security permissions in the entire network. Thus, each time the effective rights or permissions for a user or group need to be identified, the permissions listing for each resource on each computer on the network is scanned. In medium and large environments with dozens, hundreds or thousands of computers, the volume of data and computer processing power for such scans can easily consume available resources and disrupt other users. Moreover, once these scans have been completed, the results are immediately out-of-date as additional permissions are granted, denied, revoked and/or modified.
Another problem with attempting to scan the entire network environment to find the cumulative permissions of a user or group is that there is a high likelihood that no permission has been granted to a user or group on a particular computer; however, each computer on the network still must be scanned to eliminate such a possibility. Moreover, such scans can generate incomplete results if one or more of the network devices is offline or otherwise unavailable during the scan.
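As an added example, not taken from the patent, the following Python models the full-network scan described above over constructed ACL data with placeholder SIDs and host names: every entry on every reachable host is read whether or not it matches, an offline host leaves the result incomplete, and a grant made after the scan is invisible until the whole scan is repeated.

```python
from dataclasses import dataclass

@dataclass
class Ace:
    sid: str      # security identifier the entry applies to
    access: str   # "allow" or "deny"
    rights: str   # e.g. "read", "write", "full"

@dataclass
class Host:
    name: str
    online: bool
    resources: dict  # resource path -> list of Ace (the resource's ACL)

def scan_permissions(hosts, sid):
    """Brute-force approach from the text: read every ACL on every
    reachable host and keep the entries that name the given SID."""
    hits, skipped, examined = [], [], 0
    for host in hosts:
        if not host.online:
            skipped.append(host.name)      # cannot be read: result is incomplete
            continue
        for path, acl in host.resources.items():
            for ace in acl:
                examined += 1              # every entry is touched, hit or not
                if ace.sid == sid:
                    hits.append((host.name, path, ace.access, ace.rights))
    return {"hits": hits, "examined": examined,
            "skipped_hosts": skipped, "complete": not skipped}

# Constructed sample data: placeholder SIDs and three hosts, one unreachable
ALICE = "S-1-5-21-1-2-3-1001"
BOB = "S-1-5-21-1-2-3-1002"
HOSTS = [
    Host("fs01", True, {
        r"C:\Shares\Finance": [Ace(ALICE, "allow", "read"), Ace(BOB, "allow", "full")],
        r"C:\Shares\Public": [Ace(BOB, "allow", "read")],
    }),
    Host("fs02", True, {r"D:\Data": [Ace(BOB, "deny", "write")]}),
    Host("fs03", False, {r"E:\Archive": [Ace(ALICE, "allow", "full")]}),  # offline
]

if __name__ == "__main__":
    first = scan_permissions(HOSTS, ALICE)
    print(first)  # one hit, 4 entries examined, fs03 skipped, complete=False
    # A grant made after the scan is not seen until the entire scan is rerun
    HOSTS[1].resources[r"D:\Data"].append(Ace(ALICE, "allow", "read"))
    print(scan_permissions(HOSTS, ALICE)["hits"])
```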